While most companies work around the clock to repair the damage done by a security breach, this company didn’t even notice that it had been compromised until the hacker maxed out the storage on its servers.
According to a recent report, Utah-based tech company InfoTrax Systems was breached over 20 times from May 2014 to March 2016. The hacker reportedly gained access to the company’s client data, including the sensitive personal information of 1 million consumers.
The company was then sued by the United States Federal Trade Commission (FTC) for miserably failing to keep the personal information of its clients secure. The personal information in question includes full names, Social Security numbers, physical and email addresses, telephone numbers, usernames, passwords, and even card details.
Even after the company detected the intrusion, the hacker managed to pull off at least two more attacks. The attacker then proceeded to upload malicious code to InfoTrax’s distributor account to gather new card details.
Earlier this week, the FTC announced a proposed settlement ordering InfoTrax Systems to implement a “comprehensive data security program” to make sure such incidents do not happen in the future. Also, the company will have to go through third-party assessments of its information security program every two years.
“Service providers like InfoTrax don’t get a pass on protecting sensitive data they handle just because their clients are other businesses rather than individual consumers. As this case shows, it’s every company’s responsibility to protect customers’ personal information, especially sensitive data like Social Security numbers,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection.